Privacy Policy

Introduction

Welcome to Syftlearn, a comprehensive school management platform developed and operated by Syftware Solutions (hereinafter "we", "us", "our", or the "Company"), a company based in Kenya.

We are committed to safeguarding your privacy and handling personal data responsibly in accordance with applicable data protection laws, including the **Kenya Data Protection Act, 2019** ("DPA") as our primary framework, as well as principles aligned with international standards such as the GDPR (where relevant), COPPA (for users under 13), and other jurisdictional requirements.

This Privacy Policy describes how we collect, use, disclose, store, protect, and otherwise process personal data when you use the Syftlearn platform, website, or related services (collectively, the "Services"). It applies to all users, including school administrators, teachers, parents/guardians, students, and other stakeholders.

By accessing or using Syftlearn, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use our Services.

1. Information We Collect

1.1 Information You Provide Directly

We collect personal data you voluntarily provide when registering, using the Services, or interacting with the platform:

• Account & Profile Data: Full name, email address, password, phone number, role (administrator, teacher, parent/guardian, student), date of birth, gender, address, and profile photo (optional)
• Institutional Data: School name, school code, department, class/year group, and related institutional details
• Academic & Performance Data: Student records, grades, attendance, assessments, academic history, and progress reports
• Communication Data: Messages, notifications, feedback, support tickets, and any content you submit
• Financial Data: Tuition/fee records and payment-related information (processed securely via third-party providers; we do not store full card details)
• Uploaded Documents: Reports, certificates, assignments, and other files you upload

1.2 Information Collected Automatically

When you interact with Syftlearn, we automatically collect certain technical and usage data:

• Device & Browser Data: Device type/model, operating system, browser type/version, screen resolution
• Network Data: IP address, ISP, approximate location (derived from IP or timezone/language settings)
• Usage & Activity Data: Pages visited, features used, login/logout timestamps, session duration, and interaction logs
• Cookies & Similar Technologies: Session identifiers, preferences, and analytics tokens (see Section 2)
• Referral Data: Source of access (e.g., direct, search, referral link)

1.3 Information from Third Parties & School Accounts

We may receive personal data from:

• School administrators or authorized personnel who create or update user profiles
• Third-party service providers (e.g., payment processors, identity verification, or integrations)
• Analytics or security partners (aggregated/anonymized where possible)

2. Cookies and Tracking Technologies

2.1 Purpose of Cookies

Cookies and similar technologies help us provide, secure, and improve the Services by remembering preferences, enabling authentication, and analyzing usage.

2.2 Types of Cookies We Use

2.3 Specific Cookies Used

• PHPSESSID: Maintains secure session state
• remember_email / remember_school: "Remember Me" convenience (30 days)
• syftlearn_consent: Records cookie consent choice (12 months)
• syftlearn_analytics: Anonymized usage tracking (24 months)

2.4 Third-Party Cookies & Management

Limited third-party cookies may be used (e.g., analytics or payment providers), governed by their policies. You can manage preferences via our cookie banner, browser settings, or by contacting us. Note: Disabling essential cookies may impair platform access and functionality.

3. How We Use Your Information

We process personal data on the following lawful bases (primarily under the DPA): consent, performance of a contract, legitimate interests, legal obligations, and (where applicable) vital interests or public interest in education.

Key Purposes

• Providing, maintaining, and improving the Services (account creation, academic tools, notifications)
• Facilitating school-parent-teacher-student communication and academic management
• Processing payments and fee-related transactions (via secure third parties)
• Personalizing experience, sending service/administrative communications, and support
• Detecting/preventing fraud, abuse, security incidents, and unauthorized access
• Conducting analytics, research, and platform optimization (often anonymized/aggregated)
• Complying with legal obligations, responding to lawful requests, and protecting rights/safety

4. Data Security & Retention

4.1 Security Measures

We maintain appropriate technical and organizational measures, including:

• Encryption of data in transit (HTTPS/TLS) and at rest where appropriate
• Secure hashing of passwords and access credential protection
• Role-based access controls and least-privilege principles
• Firewalls, intrusion detection, regular vulnerability scanning, and security audits
• Secure backup and disaster recovery processes

4.2 Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy, satisfy legal/educational retention obligations (e.g., academic records), or resolve disputes. Upon request or when no longer required, data is securely deleted or anonymized, subject to legal exceptions.

4.3 Limitations of Security

While we implement robust administrative, technical, and physical safeguards consistent with industry standards and the DPA, no internet-based system or data transmission can be guaranteed 100% secure. We cannot eliminate all security risks. You use Syftlearn at your own risk, and we encourage you to protect your account credentials.

5. Sharing & Disclosure of Information

5.1 Categories of Recipients

• Within Your School Community: Authorized school personnel, teachers, administrators (and parents/guardians for student data, as configured)
• Service Providers: Cloud hosting, analytics, payment processors, support tools (under strict data processing agreements)
• Legal & Regulatory: Public authorities, law enforcement, or regulators when required by law, court order, or to protect rights/safety

5.2 What We Do Not Do

• Sell personal data to marketers or advertisers
• Share passwords or full payment card details
• Disclose data to unrelated third parties without lawful basis

5.3 International Transfers & Safeguards

As a Kenya-based company, we primarily process data in secure facilities that meet DPA requirements. Where data is transferred outside Kenya (e.g., to cloud providers), we ensure appropriate safeguards such as standard contractual clauses, adequacy decisions, or binding corporate rules in line with DPA Section 48 and related regulations.

6. Your Rights as a Data Subject

Under the DPA and applicable laws, you have rights including (subject to verification and legal limitations):

• Access: Obtain confirmation of processing and a copy of your data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion when data is no longer necessary (subject to legal/educational retention obligations)
• Restriction: Limit processing in certain circumstances
• Data Portability: Receive your data in a structured, machine-readable format
• Object: Object to processing based on legitimate interests or for direct marketing
• Withdraw Consent: Where processing relies on consent (does not affect prior lawfulness)
• Complaint: Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya

6.1 How to Exercise Rights

Contact our Data Protection Officer at privacy@syftware.com with your request and proof of identity. We will respond within 30 days (or sooner if required by law) and may charge a reasonable fee for excessive/repetitive requests.

6.2 Children's Privacy (COPPA & DPA Alignment)

For students under 13 (or the applicable age under local law), we rely on verifiable parental/guardian consent before collecting or using personal data, in compliance with COPPA principles and DPA Section 33. Parents may access, correct, or request deletion of their child's data.

7. Third-Party Links & Integrations

The Services may link to or integrate with third-party websites/services (e.g., payment gateways). We are not responsible for their privacy practices—review their policies directly.

8. Changes to This Privacy Policy

We may update this Policy to reflect changes in practices, technology, or legal requirements. The "Last Updated" date indicates the revision date.

Material changes will be notified via email, in-platform notice, or both. Continued use after such changes constitutes acceptance.

9. Contact Us

For privacy questions, rights requests, or concerns:

• Data Protection Officer Email: privacy@syftware.com
• Company: Syftware Solutions, Kenya
• Website: www.syftware.com

We aim to respond promptly and within statutory timeframes. If unsatisfied, you may contact the Office of the Data Protection Commissioner (ODPC) in Kenya.

10. Legal Compliance & Governing Law

This Policy is governed by the laws of Kenya, particularly the Data Protection Act, 2019. We strive to align with recognized international standards to support global users and schools.

We comply with applicable regulations including:

• Kenya Data Protection Act, 2019 (primary framework)
• Principles aligned with GDPR, CCPA, COPPA, and education-sector data protection guidance
• Registration (where required) with the Office of the Data Protection Commissioner

Acknowledgment

Your use of Syftlearn constitutes acceptance of this Privacy Policy. Thank you for entrusting us with your school's data management needs—we are committed to protecting it responsibly.